Smart Grid promises to radically change the face of energy technology today; however, along the way, it creates threat vectors that can leave utility companies vulnerable to a whole new realm of attacks. Besides these new threats, utility companies are also affected by the uncertain economic times, thus investments are receiving more scrutiny from local PUCs (Public Utility Commissions), as it becomes increasingly difficult to recover this cost from consumers. Fewer dollars devoted to securing the critical infrastructures and the increase in regulatory compliance enforcement, have security professionals scrambling; utility companies are being forced to trim development and maximize their budgets without extra resources.
Another threat is the lack of enforceable Smart Grid security standards for the power distribution grids; the only enforceable standard being circulated in the industry today, is the NERC CIP standard, which only applies to generation and transmission. There’s no shortage of great guidelines, such as, NISTIR 7628, NIST 800-82 (Industrial Control Systems Security), NIST 800-82 (Industrial Control Systems Security), Cyber Assessment Methods for SCADA Security, Guide to Critical Infrastructure Protection Cyber Vulnerability Assessment, and Security Framework for Control System Data Classification and Protection just to name a few, but the lack of enforceable standards leaves utilities not knowing where to go and confused about which guidelines are appropriate for their needs.
This wait-and-see approach, while Smart Grid technologies are being deployed in the grid, will only make interoperability among these technologies more difficult, as vendors are adopting their own security approaches and proprietary technologies.
What should you do?
Instead of taking the wait-and-see approach and continue deploying insecure devices in your infrastructure, while waiting to see if your vendor decides to implement security into their devices, go “back to basics”.
Identify assets, systems, networks, people and functions that are critical to your business; this information will be important for a risk assessment approach to security. Due to these doubtful economic times, utilities need to be diligent in the way they invest their money, and a risk-based approach is not only diligent, but provides a framework for continuous improvement to enhance protection of critical systems.
The best way to perform your first assessment or verify your current results is to engage a third-party, a consulting company that provides vulnerability and penetration test assessment services, with experience in the utility industry. (Utility experience is one requirement that you should make sure you put on your RFPs.)
Once you have your results, go back to your risk framework and prioritize based on which identified risks will have the most impact to the business if realized. This priority list, along with an educated assessment and justification, will provide management a strategic security plan to improve your security posture and implement a continuous improvement program.
Once your program has been approved, the process of developing and implementing effective protective measures can be broken down into three steps:
- Determining needs;
- Analyze your priority list and what tools and programs are needed.
- Design your security program;
- Design your protective program approach.
- Develop your continuous improvement program;
- Make sure you implement a repeatable strategy.
Last but not least, “measure.” Implementing repeatable processes requires that you measure their effectiveness and continue to improve them.
These steps will assist your organization in improving security while the industry works to find a standard approach that everyone in the energy industry can emulate. Meanwhile, remember this:
Identify – Assess – Prioritize – Implement – Measure
What is your security approach? I would like to hear from you, please leave a comment.